Zones and Default Settings
It’s always good practice when developing web pages to test them in browsers with default settings as it is most likely that your users will have default settings when using their browsers. One thing that we’ve seen catch a couple of people out with IE is that the default settings can be a little different depending on the security zone the page is running in.
Many of you will be familiar with the different security zones in Internet Explorer with the internet and intranet zones being two that you may see on a regular basis in the status bar of IE. By default the security settings for content running in the internet zone are a little more restrictive than those for content running in the intranet zone. One example is that in IE7 under default security settings a web page running in the internet zone may not write text to the IE status bar using the window.status method call, whereas the call is allowed in the intranet zone. This restriction was introduced in IE7 as part of the security work to reduce spoofing and ensure that content on the internet cannot directly influence the area of the browser outside the HTML rendering area.
During development of web pages content is often supplied by a local server and as a result runs in the intranet zone. Later when the pages are deployed and accessed from the internet the same content runs in the internet zone. As a result a call to set window.status that worked during development no longer functions.
To avoid these differences and have content run in the internet zone despite it originating on the intranet you can add the Mark Of The Web (MOTW) to pages. The MOTW is a comment that should be placed at the start of the HTML page to show that the content is from the internet in the form <!-- saved from url=(0014)about:internet -->. Including the MOTW in pages and checking that you have default security settings during development can help ensure that you are experiencing the same settings as users of IE on the internet will have when your pages are deployed.
On a separate topic I’d like to note that this will be my last post here. After eleven great years at Microsoft it is time for me to move on to new adventures. I know that the IE team will continue to work on future versions of IE, supplying a great and secure browsing experience for Windows. I am looking forward to seeing the next releases of the product.
Thanks,
Dave Massy
Senior Program Manager
Comments
Anonymous
February 13, 2007
That doesn't seem to work for me... where EXACTLY is it supposed to go? No matter where I put it IE still tells me "Local Intranet" as my zone...Anonymous
February 13, 2007
Hmm, I read the linked document (probably should have tried that before the last comment) but it still doesn't seem to work... keeps telling me "Local intranet" Perhaps I'm doing something wrong.Anonymous
February 13, 2007
Bye Dave, it was good to have you around here and spreading info about IE.Anonymous
February 13, 2007
A page on your computer should show "My Computer" (or "Computer"?) as the zone without the comment, and "Internet" with it. You might have to re-open your page in a new window to see the difference.Anonymous
February 13, 2007
I'm sad to see you go Dave. Thanks for all you have done to help jumpstart IE back to life, and for being a public face for the team. Best of luck in your new ventures.Anonymous
February 13, 2007
Wow, Dave, you're going... never expected that. Good luck with what you're going to do now :)Anonymous
February 13, 2007
@Dave Massy I have seen your videos on Channel9 and I am sad now that you decided to leave the IE team. You were a very personable PM at Microsoft. I wish you good luck and all the best for your new adventures.Anonymous
February 14, 2007
@ Dave Massy Hi Dave, I'm sorry to hear you're leaving Microsoft, and more importantly the IE Team. I sincerely wish you success in your next endeavour.Anonymous
February 14, 2007
The comment has been removedAnonymous
February 14, 2007
I just made a post on the IE Team blog regarding Zones and Mark of The Web . It's always a good ideaAnonymous
February 14, 2007
@Dave Massy Please don't go away, I love you!Anonymous
February 14, 2007
"ask someone... oh, its called "Active Scripting"... that makes sense... not!" Since you're speaking about non technical users, Active Scripting makes a lot more sense to a user than JavaScript. Throwing names at users who do not script/program is a bad thing to do.Anonymous
February 14, 2007
Best wishes for your future adventures, Dave.Anonymous
February 14, 2007
Dave has announced that he is leaving Microsoft: http://blogs.msdn.com/dmassy/archive/2007/02/14/zones-testing-and-dave.aspxAnonymous
February 14, 2007
"ask someone... oh, its called "Active Scripting"... that makes sense... not!" Maybe they should drop the "active" bit, but it definitely shouldn't read Javascript. After all, IE comes with two scripting engines: JScript and VBScript, and this setting applies to them both. Also note that neither of them is actually called Javascript. JScript is the Microsoft implementation of the ECMAScript standard which was based on the original Javascript. I do agree with your main point though, that these settings are burried to deep.Anonymous
February 14, 2007
Dave, thanks for your work, and thanks for blogging here!Anonymous
February 14, 2007
My scanner dontw ork afte instal IE7Anonymous
February 15, 2007
"Also note that neither of them is actually called Javascript. JScript is the Microsoft implementation of the ECMAScript standard which was based on the original Javascript." This is nitpicking. They're both the same concept.Anonymous
February 15, 2007
Wenn man Webseiten entwickelt, testet man diese wohl meistens erstmal lokal. Nun verwendet der Internet Explorer aber für das Internet und lokale Seiten unterschiedliche Sicherheitseinstellungen (die Sicherheitszonen, zu finden in den InternetoptionAnonymous
February 15, 2007
The problem with "Active Scripting" is that it doesn't actually map to anything. Most users, will associate "Active" with "Active-X", and thus start disabling... On the other hand, most that have used the web for more than 15min, know about something called JavaScript... they may not know what exactly it is, but they certainly do know about it by name. I'd be fine with "Active Script (JScript/VBScript)" or something that at least identifies what it is that "Active" refers to. Google for "disable javascript" (~385,000 hits) http://www.google.com/search?hl=en&q=%22disable+javascript%22&btnG=Search&meta= Google for "disable active script" (~590 hits) http://www.google.com/search?hl=en&q=%22disable+active+script%22&btnG=Search&meta= I'll play the "conspiracy theory" card here ;-) and guess that originally it wasn't called JavaScript because of the association with Netscape, but I think these days, its not worth the confusion. e.g. AJAX stands for...? http://www.google.com/search?hl=en&q=%22disable+javascript%22&btnG=Search&meta= but i digress, the main issue is that the dialog is just shy of very-un-user-friendly and I thought I'd point it out here (since there is no IE Feedback!)Anonymous
February 15, 2007
"On the other hand, most that have used the web for more than 15min, know about something called JavaScript..." That's a pretty bad assumption.Anonymous
February 15, 2007
Dave has announced that he is leaving Microsoft: http://blogs.dotnethell.it/vincent/Dave-Massy-IE-Team-lascia-MS__9781.aspx Good luck, Dave and thank you for your great work.Anonymous
February 15, 2007
It's called Active Scripting because it used to be called OLE Scripting, and like many things with the OLE name, it got changed to Active. OLE Scripting -> Active Scripting. OLE Accessibility -> Active Accessibility. OLE Controls -> ActiveX Controls -- this is actually the exception since ActiveX is used for both controls and for the overarching COM technology.Anonymous
February 16, 2007
The comment has been removedAnonymous
February 16, 2007
This is great, I was looking for MOTW as I had misplaced this tiny script. Placed it just above the closing header element and it works as usual. I don't get why some people say, "Have a safe trip" as tripping is not safe! Anyway, best of luck to you in your future endeavors!Anonymous
February 18, 2007
Tell the update team to STOP messing with my default settings! I just updated all those security patches and my email program is no longer the right one! (Thunderbird) It seems that as soon as the update is applied, Microsoft Outlook Express or Microsoft Outlook is now the default email program! Excuse me, but I did not ask for this, please do not mess with user settings when applying updates, or you will find users (like me) avoiding applying an update, for fear of the update messing with my settings. ie. what other settings have you changed? unhappy camperAnonymous
February 18, 2007
@Aedrin Ok, maybe 15min is a little sarcastic, but the point is that if I mentioned JavaScript in conversation with strangers, they'd likely know what I'm talking about... if I talk about Active Scripting, most wouldn't have a clue. I mean, lets face it, it took how many years for MS to get rid of Clippy?!... If we don't tell microsoft whats wrong with their software, and we don't keep pestering them about it, it will never change. They can call it Goat Cheese for all I care, as long as getting to the setting, is easy, and intuitive, and user friendly... and not a chore.Anonymous
February 18, 2007
good work dave !! wish u success in your future mission.Anonymous
February 19, 2007
The comment has been removedAnonymous
February 19, 2007
"They can call it Goat Cheese for all I care," I thought the whole argument was about calling it the right thing.Anonymous
February 19, 2007
@Aedrin "I thought the whole argument was about calling it the right thing." True, but you seemed dead set against that, so rather than argue till the sun turns blue about it, I'd rather focus on the fact that the dialog / contents is extremely user-un-friendly. If the layout was fixed, then finding "JavaScript" or all things to do with script, would be a piece-o-cake.Anonymous
February 19, 2007
WHERE ARE THOSE MUI'S AND LIP'S?????WHY you are so dishonest about this??!Anonymous
February 20, 2007
"I'd rather focus on the fact that the dialog / contents is extremely user-un-friendly." You mean developer un-friendly?Anonymous
February 20, 2007
@Brent: The Outlook team would like to help resolve the problem you've encountered. Please send me a message at ericlaw at microsoft dotcom so I can collect a little more information about the problem. Thanks!Anonymous
February 21, 2007
I am sorry that I missed this intially, but in a recent post on the IE team blog Dave Massy a SeniorAnonymous
February 21, 2007
I added an add-on on to ie7. and along with this addon comes a program bonour on my toolbar. My system slowed down. I had to unistall ie7 and go back to 6. Well this program bonour I couldn't get rid of. My system crashed and I lost everything. Are these addons tested?Anonymous
February 23, 2007
I am hoping that someone familiar with the inner workings of IE7 can help with this problem. I have used this type of VBSCRIPT code on an ASP page for several years to launch a program on a server from an ASP page: Dim sh set sh = Server.CreateObject("WScript.Shell") sh.Run("any-program.exe", 0 , TRUE) The code breaks when I installed Internet Explorer 7 (IE7) on a Windows 2003 Server. The error is "permission denied". The error goes away when I uninstall IE7. The code works when I uninstall IE7 from the server. There is some configuration setting or software change that IE7 is adding to the server that causes this bug. Does anybody know a workaround? Thanks!Anonymous
April 23, 2007
IE zónák és biztonság és ellenőrizzük a lapokat default beállításokkal IEBlog: http://blogs.msdn.com